Are We All Aware Yet?

So, here we are, in November already. We've finished up with National Cyber Security Awareness Month — feel safer? I was talking with someone who observed that he remembered "National Computer Security Day" (started back in the late 1990s) that then became "National Computer Security Week" for a few years. Well, the problems didn't go away when everyone started to call it "cyber," so we switched to a whole month but only of "awareness." This is also the "Cyber Leap Ahead Year." At the same level of progress, we'll soon have "The Decade of Living Cyber Securely." The Hundred Years' War comes to mind for some reason, but I don't think our economic system will last that long with losses mounting as they are. The Singularity may not be when computers become more powerful than the human mind, but will be the point at which all intellectual property, national security information, and financial data has been stolen and is no longer under the control of its rightful owners.

Overly gloomy? Perhaps. But consider that today is also the 21st anniversary of the Morris Internet Worm. Back then, it was a big deal because a few thousand computers were affected. Meanwhile, today's news has a story about the Conficker worm passing the 7 million host level, and growing. Back in 1988 there were about 100 known computer viruses. Today, most vendors have given up trying to measure malware as the numbers are in the millions. And now we are seeing instances of fraud based on fake anti-malware programs being marketed that actually infect the hosts on which they are installed! The sophistication and number of these things are increasing non-linearly as people continue to try to defend fundamentally unsecurable systems.

And as far as awareness goes, a few weeks ago I was talking with some grad students (not from Purdue). Someone mentioned the Worm incident; several of the students had never heard of it. I'm not suggesting that this should be required study, but it is indicative of something I think is happening: the overall awareness of security issues and history seems to be declining among the population studying computing. I did a quick poll, and many of the same students only vaguely recalled ever hearing about anything such as the Orange Book or Common Criteria, about covert channels, about reference monitors, or about a half dozen other things I mentioned. Apparently, anything older than about 5 years doesn't seem to register. I also asked them to name 5 operating systems (preferably ones they had used), and once they got to 4, most were stumped (Windows, Linux, MacOS and a couple said "Multics" because I had asked about it earlier; one young man smugly added "whatever it is running on my cellphone," which turned out to be a Windows variant). No wonder everyone insists on using the same OS, the same browser, and the same 3 programming languages — they have never been exposed to anything else!

About the same time, I was having a conversation with a senior cyber security engineer of a major security defense contractor (no, I won't say which one). The engineer was talking about a problem that had been posed in a recent RFP. I happened to mention that it sounded like something that might be best solved with a capability architecture. I got a blank look in return. Somewhat surprised, I said "You know, capabilities and rings — as in Multics and System/38." The reaction to that amazed me: "Those sound kinda familiar. Are those versions of SE Linux?"

Sigh. So much for awareness, even among the professionals who are supposed to be working in security. The problems are getting bigger faster than we have been addressing them, and too many of the next generation of computing professionals don't even know the basic fundamentals or history of information security. Unfortunately, the focus of government and industry seems to continue to be on trying to "fix" the existing platforms rather than solve the actual problems. How do we get "awareness" into that mix?

There are times when I look back over my professional career and compare it to trying to patch holes in a sinking ship while the passengers are cheerfully boring new holes in the bottom to drop in chum for the circling sharks. The biggest difference is that if I was on the ship, at least I might get a little more sun and fresh air.

Comments

I’ve used HP-UX, AIX, and DG/UX. I’m typing this on a Linux box. Is that one OS? Or is it four?

This is an Ubuntu box. I’ve also currently got Debian and OpenSUSE boxen. One OS or three?

One old box now running OpenSUSE started out as SuSE 8.0—before the Novell purchase. One OS or two?

================
Spaf replies:

Underneath some of the utilities, all Linux systems are the same OS. As you note, it is tempting to even lump all the *ix systems into one, and for purposes of my posting, maybe that is the way to do it. Given the number of OS’s out there, getting exposed to other ways of doing things would be a really good idea.

Posted by
Rob
on Monday, November 16, 2009 at 08:25 PM

While I agree there is a room for improvement, there is some success in the field. I suggest highlighting some of your success stories and then offering advice to help negotiate common pitfalls that might derail the field from building on past but often times limited success.

1) Digital forensics increasingly is being accepted as the field becomes more robust and the techniques become more reliable. Digital forensics also is playing a large role in solving the attribution problem set for a broad set of nefarious activities from computer network intrusions to more traditional crimes.

2) While far from perfect, domestic and international laws are being adopted and sometimes embraced to continuously address information security issues, which are helping lower the risk for some cyber incidents and crimes.

3) Limited but increasing cooperation across sectors and governments is reducing the potential impact to acute cyber incidents.

4) Unprecedented funding for information security protection at the US Federal level is driving daily discussions and offers regular accountability through Congressional oversight.

5) Information security—thanks in large part to your continuous dedication—is a respected profession, which enables thousands of information security professionals to help and touch people worldwide.

Posted by
Hugh
on Wednesday, December 23, 2009 at 12:15 PM

Great post and I would like to add my opinion to the mix. Regarding your awareness comment, I think there are two issues here, one being ease of use and the other being information overload.

People tend to use Windows because there’s no programming involved and it’s the most widely used OS. The Linux and Mac OS are far better in terms of quality, but the marketing giant Microsoft makes sure it’s on every new Windows-based PC, so we ‘go with the flow’.

In respect to information overload, I find it frightening that software I bought 12 months ago is now outdated as new and improved versions supplant it. It’s getting to the stage where any ‘new software’ is becoming outdated as quickly as it’s being introduced. Where does it end?